Network scanning is the process of discovering active hosts on the network and information about those hosts, such as operating system, active ports, services, and applications. Network scanning consists of the following four basic techniques:
■ Network Mapping. Sending messages to a host that will generate a response if the host is active.
■ Port Scanning. Sending messages to a specified port to determine if it is active.
■ Service and Version Detection. Sending specially crafted messages to active ports to generate responses that indicate the type and version of the service running.
■ OS Detection. Sending specially crafted messages to an active host to generate responses that indicate the type of operating system running on the host.
Ethernet addresses are also known as Media Access Control (MAC) addresses and hardware addresses. Because many computers may share a single Ethernet segment, each one must have an individual identifier hard-coded onto the network interface card (NIC). A MAC address is a 48-bit number, usually written as a 12-digit hexadecimal number. This number is broken into two halves: the first 24 bits identify the vendor of the Ethernet card, and the second 24 bits are a serial number assigned by the vendor.
The following steps allow you to view your NIC’s MAC address:
■ Windows 9x/ME. Access Start | Run and type winipcfg.exe. The MAC address will be listed as the “Adapter Address.”
■ Windows NT, 2000, XP, and 2003. Access the command line and type ipconfig /all. The MAC address will be listed as the “Physical Address.”
■ Linux and Solaris. Type ifconfig -a at the command line. The MAC address will be listed as the “HWaddr” on Linux and as “ether” on Solaris.
■ Macintosh OS X. Type ifconfig -a in the Terminal application. The MAC address will be listed under the “Ether” label.
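An added example (not from the book) that normalizes a MAC address as each of the tools above prints it and splits it into the two 24-bit halves; the sample addresses are constructed, not taken from real hardware.

```python
import re

# Added example, not from the book. The tools above print the same 48-bit address
# in different shapes: the Windows "Physical Address" uses dashes (00-1A-2B-3C-4D-5E),
# the Linux "HWaddr" uses colons (00:1a:2b:3c:4d:5e), and the Solaris "ether" label
# drops leading zeros from each octet (0:1a:2b:3c:4d:5e). normalize_mac() accepts all
# of these plus bare 12-digit hex; split_mac() separates the 24-bit vendor identifier
# (OUI) from the 24-bit vendor-assigned serial. All sample addresses are constructed.

_OCTET = re.compile(r"[0-9a-f]{1,2}")

def normalize_mac(text):
    """Return the address as 12 lowercase hex digits; raise ValueError otherwise."""
    s = text.strip().lower()
    if re.fullmatch(r"[0-9a-f]{12}", s):
        return s
    parts = re.split(r"[:-]", s)
    if len(parts) != 6 or not all(_OCTET.fullmatch(p) for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return "".join(p.zfill(2) for p in parts)   # re-pad Solaris-style "0" to "00"

def is_valid_mac(text):
    try:
        normalize_mac(text)
        return True
    except ValueError:
        return False

def split_mac(text):
    """Break the address into the two 24-bit halves described in the text."""
    digits = normalize_mac(text)
    value = int(digits, 16)
    oui, serial = value >> 24, value & 0xFFFFFF
    first_octet = value >> 40
    return {
        "mac": ":".join(digits[i:i + 2] for i in range(0, 12, 2)),
        "oui": f"{oui:06x}",          # first 24 bits: vendor of the Ethernet card
        "serial": f"{serial:06x}",    # last 24 bits: serial assigned by that vendor
        # Bit 1 of the first octet set = locally administered: the OUI half then
        # does not name a vendor. Bit 0 set = group (multicast/broadcast) address.
        "locally_administered": bool(first_octet & 0x02),
        "multicast": bool(first_octet & 0x01),
    }

if __name__ == "__main__":
    for raw in ("00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5e", "0:1a:2b:3c:4d:5e"):
        print(raw, "->", split_mac(raw))
```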
Network Scanning Techniques
Host Discovery
Network scanners use a variety of techniques to solicit responses from a target. Host discovery is often performed by the following basic techniques:
■ ICMP ECHO Request. An ICMP ECHO request is an ICMP type 8 packet, commonly referred to as a ping. If the target IP address is active, an ICMP ECHO reply (ICMP type 0) is received. Sending ICMP ECHO requests to multiple hosts is known as a ping sweep.
■ ICMP Timestamp. An ICMP type 13 message is a timestamp query. If the target IP address is active, it will respond with the current time (ICMP type 14).
■ ICMP Address Mask Request. An ICMP type 17 message is an address mask request. If the target IP address is active, it will respond with its netmask (ICMP type 18).
■ TCP Ping. A TCP ping sends a TCP SYN or TCP ACK packet to a target IP address. You will need to provide a target port number to send the packet to, such as 21, 25, or 80. If the target IP address is active it will respond; however, the type of response depends on the type of packet sent, the target’s operating system, and the presence of firewalls or router access lists.
■ UDP Ping. A UDP ping sends a UDP packet to a specific UDP port at the target IP address. If the target IP address is active but the UDP port is closed, the system will send an ICMP Port Unreachable. However, due to the connectionless nature of UDP, this type of ping is unique in that no response from the target also indicates the possibility that the port (and therefore the host) is active.
Port and Service Scanning
Once you have identified an active host you can attempt to identify the ports and services running on that host by performing port scanning. Port scanning sends a request to solicit a reply from ports on a target computer. There are many different port scanning techniques.
■ Connect scan. Connect scans perform a full TCP three-way handshake and open a connection to the target. These scans are easily detected and often logged by the host. If a TCP port is listening and not firewalled it will respond with a SYN/ACK packet; otherwise the host responds with a RST/ACK packet.
■ Half-open scan. A half-open scan does not complete the full TCP three-way handshake. It is also referred to as a SYN scan. With a half-open scan, when the scanner receives a SYN/ACK from the target host, implying an open port on the target, the scanner immediately tears down the connection with a RST. This type of scan used to be considered a stealth scan because the connection was not completed and therefore not logged by the host; however, it is easily detected by intrusion detection systems.
■ Stealth scan. Stealth scans use various flag settings, fragmentation, and other evasion techniques to go undetected. Some examples are a SYN/ACK scan, a FIN scan, an ACK scan, a NULL scan, and a XMAS (Christmas Tree) scan. Each of these scan types is covered in detail later in the book.
Port scanning solicits a variety of responses by setting different TCP flags or sending UDP packets with various parameters. TCP and UDP each have 65,536 possible ports (0 through 65,535). You may scan all of them or a subset, such as the most commonly used ports. For example, it is routine to scan the well-known ports below 1024 that are associated with common services such as FTP, SSH, Telnet, SMTP, DNS, and HTTP. Once an open port is discovered, a network scanner may perform additional examination to determine the actual version of the service running on it. As with host discovery, port scanning is also subject to intervention by routers and firewalls, so port responses may be dropped. Also, some operating systems may not comply with the requests and will drop the packet.
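The flag sequences above are also what an intrusion detection system keys on to recognize a half-open scan. The following added example (not from the book) classifies packet records by those rules and separates a half-open scan from a connect scan; the hosts, ports and packet list are constructed.

```python
from collections import defaultdict

# Added example, not from the book: an IDS-style check that separates a connect
# scan from a half-open (SYN) scan using only the flag sequence described above.
# A connect scan finishes the handshake (SYN, SYN/ACK, ACK); a half-open scan
# answers the SYN/ACK with RST; a closed port answers the SYN with RST/ACK.
# Packets are constructed (src, dst, dport, flags) tuples in arrival order.

def classify_probes(packets):
    """Per client: (server, port) pairs found open or closed, torn down with RST
    after the SYN/ACK (half-open probe), or completed with ACK (connect)."""
    pending = {}                      # (client, server, dport) -> "syn" | "synack"
    seen = defaultdict(lambda: {k: set() for k in ("open", "closed", "half_open", "completed")})
    for src, dst, dport, flags in packets:
        if flags == "S":                                    # client opens
            pending[(src, dst, dport)] = "syn"
        elif pending.get((dst, src, dport)) == "syn":       # server answers the SYN
            if flags == "SA":
                pending[(dst, src, dport)] = "synack"
                seen[dst]["open"].add((src, dport))
            elif flags == "RA":
                del pending[(dst, src, dport)]
                seen[dst]["closed"].add((src, dport))
        elif pending.get((src, dst, dport)) == "synack":    # client answers the SYN/ACK
            del pending[(src, dst, dport)]
            if flags in ("A", "R"):
                seen[src]["completed" if flags == "A" else "half_open"].add((dst, dport))
    return seen

def scan_alerts(packets, min_ports=3):
    """Flag clients that probed at least min_ports distinct ports, and say how."""
    alerts = []
    for client, s in classify_probes(packets).items():
        probed = s["open"] | s["closed"]
        if len(probed) >= min_ports:
            kind = "half-open" if s["half_open"] and not s["completed"] else "connect"
            alerts.append({"scanner": client, "ports": len(probed), "kind": kind})
    return alerts

SCANNER, VICTIM, USER = "10.0.0.5", "10.0.0.9", "10.0.0.7"     # constructed hosts
SAMPLE = [
    (SCANNER, VICTIM, 22, "S"), (VICTIM, SCANNER, 22, "SA"), (SCANNER, VICTIM, 22, "R"),
    (SCANNER, VICTIM, 443, "S"), (VICTIM, SCANNER, 443, "RA"),
    (SCANNER, VICTIM, 80, "S"), (VICTIM, SCANNER, 80, "SA"), (SCANNER, VICTIM, 80, "R"),
    (USER, VICTIM, 80, "S"), (VICTIM, USER, 80, "SA"), (USER, VICTIM, 80, "A"),  # real client
]

if __name__ == "__main__":
    for alert in scan_alerts(SAMPLE):
        print(alert)
```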
OS Detection
Operating system detection, also called fingerprinting, is used to determine the type of operating system that is running on the target. Fingerprinting can be performed both actively and passively. With active fingerprinting the network scanner sends several packets to the target with various settings. The responses to these settings are analyzed and compared to a list of known request/response values to find a match. Operating systems are all built with identifying characteristics within their TCP/IP stacks and configurations, including settings such as the TCP window size and TCP initial sequence numbers. Passive fingerprinting also looks at deviations in TCP/IP stack implementations; however, it looks for these deviations by analyzing the traffic on the network. Passive fingerprinting does not send any packets to the target; it passively monitors the target’s communications.
Evasion and Spoofing
A secure network blocks scanning techniques and alerts when a scan is detected. Firewalls block scanning attempts or drop responses to request packets. Intrusion detection systems (IDSs) monitor network and host activity and create alerts when traffic matches predefined signatures. Most scanning techniques are easy to detect and will readily trigger IDS alarms. Attackers therefore use a variety of techniques to scan in stealth mode to evade firewalls and IDSs, including the following:
■ Low and slow scanning. Security applications and IDSs watch for a large number of connections to hosts and ports during a short period of time. Low and slow scanning is a painfully slow technique that limits the number of hosts and ports scanned in a specified time period. Scanning over a long period of time reduces the chance of triggering an alert. If the attacker is patient, this type of scan can be very successful simply because it has a higher chance of not being detected.
■ Fragmentation. Fragmentation splits up TCP-based scan requests over several packets in an attempt to evade detection.
■ Spoofing and decoys. Attackers often spoof their IP addresses and use decoys to evade detection. Spoofing changes the source IP address of the scanner. This technique isn’t effective for obtaining scan results, since the scanner won’t receive replies and so won’t be able to obtain any information about the targets. Decoys are fake hosts that appear to be scanning your network at the same time the real attacker is scanning. This makes it difficult to determine which IP address is the real scanner.
■ Source ports. Another firewall evasion technique is to specify a source port that is allowed through a firewall, such as port 53 (DNS).
■ IP options. Some scanners also allow you to modify IP protocol options to evade firewalls and specify a route to the target.
■ Advanced techniques. Other advanced evasion techniques include FTP bounce scans, idle scans, and proxy tunneling. These will be covered in more detail later in this book.
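An added example (not from the book) of the rate-based check described under low and slow scanning, run over constructed probe events: the same 40-port scan spread over hours passes a one-minute window that catches the fast version, and a one-day window catches both at the cost of more per-source state. Hosts, ports and timings are constructed.

```python
from collections import defaultdict, deque

# Added example, not from the book: the rate-based check the text attributes to
# IDSs (many distinct targets from one source in a short time) and the reason a
# low-and-slow scan slips past it. Events are constructed (seconds, src, dst, dport)
# tuples, not captured traffic. A second, longer window with the same count
# threshold catches the slow scanner; the cost is more per-source state.

def scan_sources(events, window, threshold):
    """Return {src: time_first_flagged} for every source that touched at least
    `threshold` distinct (dst, dport) targets within any `window` seconds."""
    recent = defaultdict(deque)            # src -> (time, target) in time order
    flagged = {}
    for t, src, dst, dport in sorted(events):
        q = recent[src]
        q.append((t, (dst, dport)))
        while t - q[0][0] > window:        # slide: drop probes older than the window
            q.popleft()
        if src not in flagged and len({target for _, target in q}) >= threshold:
            flagged[src] = t
    return flagged

def probes(src, dst, ports, interval, start=0):
    """Constructed probe events: one port every `interval` seconds."""
    return [(start + i * interval, src, dst, p) for i, p in enumerate(ports)]

PORTS = list(range(20, 60))                                   # 40 ports per scanner
FAST = probes("10.0.0.5", "10.0.0.9", PORTS, interval=0.05)   # whole sweep in 2 s
SLOW = probes("10.0.0.6", "10.0.0.9", PORTS, interval=900)    # one probe per 15 min
BUSY = probes("10.0.0.7", "10.0.0.9", [80] * 40, interval=30) # repeat hits on one port
EVENTS = FAST + SLOW + BUSY

def compare(threshold=20):
    """Short window (one minute) versus long window (one day) on the same events."""
    return {
        "short": scan_sources(EVENTS, window=60, threshold=threshold),
        "long": scan_sources(EVENTS, window=24 * 3600, threshold=threshold),
    }

if __name__ == "__main__":
    for name, hits in compare().items():
        print(name, sorted(hits))
```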